
FCA Non-Financial Misconduct: Making Culture a Strategic Priority

Last updated: April 01, 2026

The FCA has made it clear: non-financial misconduct is now a core conduct risk. Serious behaviours such as bullying, harassment, intimidation, and violence must be identified, assessed, and managed with the same rigour as traditional compliance risks.

Key takeaways

  • Non-financial misconduct is a regulatory priority: Behaviours like bullying, harassment, and intimidation are treated as core conduct risk under the FCA Code of Conduct.
  • Culture is a control: Leadership behaviour and consistent enforcement shape organisational norms and reduce conduct risk.
  • Consistency and evidence are essential: Firms must monitor, investigate, and act on misconduct with auditable processes.
  • Cross-functional governance works best: Compliance, HR, Legal, and business leaders must align on standards, investigations, and consequence management.
  • Remote, hybrid, and third-party contexts need oversight: Behavioural expectations extend to virtual work and external partners.
  • Measurement drives improvement: MI, dashboards, and regular reporting enable detection, escalation, and learning.
  • Early intervention prevents escalation: Acting swiftly on small signals reduces root causes, reputational harm, and potential regulatory consequences.

This shift in the way the FCA views non-financial misconduct is not about "bad apples". It reflects a systemic risk that arises from normalised shortcuts, muted challenge, and weak consequences. Leadership matters: when senior figures breach standards without consequence, compliance becomes optional.

FCA guidance on non-financial misconduct

The FCA’s Policy Statement PS25/23: Tackling non-financial misconduct in financial services and the regulator's guidance on non-financial misconduct set out how firms should manage culture and conduct risk. Key takeaways include:

  • Integration into the FCA Code of Conduct (COCON): Misconduct like bullying, harassment, or intimidation can now constitute breaches of the FCA Code of Conduct under SMCR.
  • Fitness and propriety considerations: Behaviours outside financial rules are relevant when assessing whether staff are fit and proper for their roles.
  • Consistency and evidence: Firms must demonstrate how they monitor, investigate, and mitigate misconduct, including lessons learned and measures to reduce recurrence risk.

Culture is the Operating System

Culture and conduct manifest in everyday behaviours, micro-cultures, tolerated shortcuts, and the speed of escalation. Profit-first mindsets, protected "rainmakers," or repeated minor breaches such as expense misuse or casual harassment can suppress challenge and amplify conduct risk.

Firms claiming a "great culture" without evidence, such as Management Information (MI), case trends, escalation timelines, surveys, exit interviews, or seniority-based outcomes, expose themselves to regulatory scrutiny.

Operationalising conduct risk

To comply with FCA non-financial misconduct expectations, firms should:

  • Align governance and standards
    Establish clear investigation thresholds, documentation, and auditable rationales across Compliance, HR, Legal, and business teams.
  • Map behavioural risk
    Identify hotspots where revenue pressure, dependency, or weak supervision intersect.
  • Enable managers
    Provide scenario-based training linking behaviour to regulatory consequences, empowering early intervention while maintaining psychological safety.
  • Strengthen speak-up channels
    Track not just volume but timeliness, perceived fairness, and follow-up actions.
  • Monitor and measure
    Use MI to track complaints, disciplinary outcomes, turnover, engagement, and repeated breaches.

Managing remote and hybrid supervision

Hybrid working increases the need for culture and conduct oversight. Firms should codify expectations for virtual meetings, chats, and social channels (monitor exclusion, inappropriate language, and retaliation) and ensure escalation processes are clear for junior staff.

Case Snapshot: BrewDog

BrewDog illustrates how cultural and governance issues can become serious organisational and reputational risks when growth outpaces controls. The business, founded in 2007 and known for its rebellious "punk" branding and innovative crowdfunding model, has faced sustained criticism over workplace culture, employee treatment, and leadership conduct. These are issues that have ultimately contributed to its dramatic downturn.

Building structure, not just intent

Firms should implement:

  • Cross-functional conduct committees
    Clear decision rights and accountability for outcomes.
  • Consequence management frameworks
    Transparent thresholds, processes, and scenario-based guidance.
  • Evidence and transparency
    Protect confidentiality, but share de-identified lessons and align manuals with employee handbooks.

How to manage third-party conduct risk

Firms cannot outsource culture. It is important for companies to maintain inventories of all contractors, suppliers, and client-facing partners in order to assess their conduct policies and escalation routes. From there, they can document interventions where misconduct arises.

Misconduct measurement and accountability

Companies need to treat non-financial misconduct as a governance mandate. Dashboards should track:

  • Bullying, harassment, and whistleblowing reports
  • Expense violations and other conduct indicators
  • Training completion and scenario performance
  • Exit interview themes, turnover, and repeat offenders
  • Outcome consistency across teams, functions, and seniority

Act on patterns with coaching, training, leadership changes, or structural fixes. Document actions, especially where high-performers create risk.

Implementation checklist for firms

  • Update policies and the FCA Code of Conduct to cover off-site and online interactions
  • Standardise investigation frameworks with thresholds, rationales, and decision rights
  • Enable managers with scenario training and psychological safety guidance
  • Strengthen speak-up mechanisms with fairness and timeliness tracking
  • Build dashboards linking MI to board reporting, remuneration, and conduct outcomes
  • Ensure consistent consequence management and cross-grade calibration
  • Monitor third-party adherence to standards
  • Codify and enforce remote/hybrid conduct norms

Managing non-financial misconduct to FCA expectations is no longer optional. Culture is a control, and inconsistency amplifies risk. Regulators expect firms to detect, assess, act, and learn. Cross-functional governance, consistent enforcement, third-party oversight, and robust measurement transform culture into a strategic asset, protecting people, sustaining trust, and reducing legal, financial, and customer harm.

FCA non-financial misconduct: FAQs

What is non-financial misconduct and what behaviours are in scope?

Non-financial misconduct (NFM) covers misconduct that is not financial in nature. It includes bullying, harassment, violence, and other inappropriate behaviours that impact workplace conduct and culture. It is not limited to discrimination linked to protected characteristics under the Equality Act; non-discriminatory bullying or harassment is also in scope. Not every instance of poor behaviour constitutes a breach, but repeated, serious, or impactful misconduct can cross the threshold.

Why is NFM a regulatory priority now?

With the UK government emphasising lighter, faster, less prescriptive regulation, more responsibility shifts to firms to manage culture and conduct proactively. The FCA’s latest rules and guidance (effective 1 September) make clear that NFM will be treated like any other compliance risk. Firms are expected to identify, assess, and manage these risks and demonstrate reasonable steps taken to prevent and address misconduct.

What is changing under SMCR and conduct rules?

From 1 September, the FCA will treat NFM under COCON (conduct rules) and FIT (fitness and propriety) for all SMCR firms, with non-banks seeing a significant expansion of scope. The FCA is also removing the Form H/REP008 conduct rule breach return, but this is not a relaxation of standards—firms still need strong oversight and evidence of adherence to the conduct rules. Anticipated later SMCR changes are largely process-related, not a rollback of roles or responsibilities.

What lessons do case studies like BrewDog offer?

The BrewDog case shows how "win at all costs" mindsets can damage reputation, governance, and long-term value. BrewDog's "punk" brand became intertwined with allegations of toxicity, illustrating that culture is not just an HR issue, but a reputational and governance risk. The key lesson: strategy will override policy unless compliance and conduct expectations are hardwired into everyday decisions and leadership actions.

Who should own NFM and culture risk - HR or Compliance?

Both. Effective management requires joint ownership and close coordination among HR, Compliance, Legal, Risk, and line management. Many firms are creating conduct or standards committees that combine these functions. Transparency, consistency, and clear decision rights are crucial; committees should be tightly scoped with defined decision-makers to preserve confidentiality and speed.

How should firms respond to incidents of NFM?

Act quickly, take ownership, and be consistent. Steps include: prompt triage and fair investigation; alignment among HR, Compliance, and Legal; applying consequence management frameworks proportionately; documenting the rationale; and communicating outcomes internally with a level of detail that educates without breaching confidentiality. Make clear when regulatory references will reflect misconduct and ensure the individual is informed.
